070801 wireshark ethereal
8/6/2019 070801 WireShark Ethereal
1/32
2007 www.analysissolution.com
WireShark Training
Ray Tompkins, Analysis [email protected]
Brought to You By: Analysis Solution
Onsite Network Analysis and Services
Analysis Solution provides network analysis and service. Our skills with network
protocols, LAN, WAN, wireless environments and applications allow us to diagnose and define the problem, then apply the corrective action. During this process our goal is to mentor your staff with the information that we gathered and an understanding of the skill of "How We Obtained The Results".
Network Analysis Training
Training class providing a detailed view of protocols and how they flow through the
network. You will never look at packets the same again. This fascinating view through an analyzer reveals "How Things Really Are", revealing what mysteries lie hidden on the wire. Key concepts, from actual measurements of throughput and performance to knowing if devices in the network are dropping packets, give precise information before making the call "Houston We Have A Problem".
The goal of the course is to empower the analyst with advanced troubleshooting techniques. These techniques are advanced in nature but taught so they can be
processed for use in diagnosing the problems. The attendees will walk away with the confidence that "I can solve this problem, let me at it".
For more information contact: Ray Tompkins,
Phone 832 643 5871
Capture Interface
If you want to capture data frames with your wireless card, or if you do not see the Packets counter increment, go to your capture options and uncheck "Capture packets in promiscuous mode".
Notes From The Field
We have compiled a list of filters, organized by type. They can be downloaded from our web site.
Capture Filter Sources:
Go to http://www.analysissolution.com -> Tech Notes -> WireShark
You will find instructions and other helpful tips for WireShark.
Note of Interest, Update June 2007
As of the release of WireShark 99.6 the Capture Filter file cfilter was moved within the application
to c:/programs/wireshark/cfilter
If you have comments or suggestions, or wish to share a filter, please email [email protected]
Ray Tompkins
www.analysissolution.com
Capture Filter Reference

Command                        Description
ether host <MAC address>       Capture all packets to and from a MAC address

IP Filters
host <ip address>              Capture all packets to and from an IP address
src host <ip address>          Capture all packets from an IP address
dst host <ip address>          Capture all packets to an IP address

TCP/UDP Filters
port <port>                    Capture all packets to and from a port number
src port <port>                Capture all packets from a port number
dst port <port>                Capture all packets to a port number

IP Network Filters
net <net>                      Capture all packets to and from a network
src net <net>                  Capture all packets from a network
dst net <net>                  Capture all packets to a network
Capture Filter Examples
Capture only DNS frames:
port 53
Capture HTTP and DNS frames:
port 80 or port 53
Capture all IP traffic:
ip
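To make the meaning of the reference table and the examples above concrete, here is an added example (not code from the original deck, from Wireshark or from libpcap) that evaluates the listed primitives (ether host, host, src/dst host, port, src/dst port, net, src/dst net, ip) and the "and"/"or" combinators against a handful of constructed packet summaries. The real capture filter is compiled to BPF and runs in the kernel; this only mirrors its semantics so you can see which packets a given filter string keeps. The packets, MAC addresses and IP addresses are made up for the demonstration, and "net" is accepted in CIDR form only.

```python
"""Evaluate capture-filter primitives against constructed packet summaries.

Added example, not from the original deck, Wireshark or libpcap.  It mirrors
the meaning of the slide's primitives plus 'and' / 'or' so a filter string can
be tested offline against sample packets.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal packet summary; non-IP frames carry empty IPs and zero ports."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str       # "tcp", "udp" or "" for non-IP
    src_port: int
    dst_port: int


def _match_primitive(expr, pkt):
    words = expr.split()
    direction = words.pop(0) if words[0] in ("src", "dst") else None
    if words == ["ip"]:
        return pkt.src_ip != ""          # any packet carrying an IPv4 header
    if words[:2] == ["ether", "host"]:  # MAC match, either direction
        mac = words[2].lower()
        return mac in (pkt.src_mac.lower(), pkt.dst_mac.lower())
    kind, value = words[0], words[1]
    if kind == "host":
        src_ok, dst_ok = pkt.src_ip == value, pkt.dst_ip == value
    elif kind == "port":
        p = int(value)
        src_ok, dst_ok = pkt.src_port == p, pkt.dst_port == p
    elif kind == "net":
        # Network in CIDR form, e.g. net 192.168.1.0/24 (libpcap also accepts
        # classful shorthand and 'mask', not handled in this demo).
        net = ipaddress.ip_network(value, strict=False)
        src_ok = pkt.src_ip != "" and ipaddress.ip_address(pkt.src_ip) in net
        dst_ok = pkt.dst_ip != "" and ipaddress.ip_address(pkt.dst_ip) in net
    else:
        raise ValueError(f"unsupported capture filter primitive: {expr!r}")
    if direction == "src":
        return src_ok
    if direction == "dst":
        return dst_ok
    return src_ok or dst_ok           # no direction given: to and from


def matches(filter_expr, pkt):
    """True if the packet passes the filter; 'or' binds looser than 'and'."""
    return any(
        all(_match_primitive(term.strip(), pkt) for term in alt.split(" and "))
        for alt in filter_expr.split(" or ")
    )


def apply_filter(filter_expr, packets):
    return [p for p in packets if matches(filter_expr, p)]


# Constructed sample traffic: a DNS query and reply, an HTTP request, an SMB
# segment on the local LAN, and one ARP broadcast (not IP).
SAMPLE = [
    Packet("00:11:22:33:44:55", "66:77:88:99:aa:bb", "192.168.1.10", "8.8.8.8", "udp", 51000, 53),
    Packet("66:77:88:99:aa:bb", "00:11:22:33:44:55", "8.8.8.8", "192.168.1.10", "udp", 53, 51000),
    Packet("00:11:22:33:44:55", "66:77:88:99:aa:bb", "192.168.1.10", "203.0.113.5", "tcp", 40000, 80),
    Packet("00:11:22:33:44:55", "66:77:88:99:aa:bb", "192.168.1.10", "192.168.1.20", "tcp", 40001, 445),
    Packet("00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff", "", "", "", 0, 0),
]

if __name__ == "__main__":
    for expr in ("port 53", "port 80 or port 53", "ip", "dst net 192.168.1.0/24"):
        print(f"{expr!r}: keeps {len(apply_filter(expr, SAMPLE))} of {len(SAMPLE)} packets")
```

Note that "port 53" keeps both directions of the DNS exchange while "src port 53" keeps only the reply, and that "ip" drops the ARP broadcast: the same distinctions apply when the real filter runs in front of WireShark.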
Capture Options: Stop Capture Frame
This frame allows you to control when WireShark will stop capturing.
This will not save to a file.
If multiple options are checked, the first condition reached will stop the analyzer.
Filters are contained in this file:
C:\Documents and .\Application Data\WireShark\cfilters
** If you choose to create your own cfilters file, remember to
leave the last line in this file blank.
Capture -> Capture Filters
This screen allows you to add or delete capture filters.
Make the Filter name and Filter string the same to avoid confusion.
Filters are contained in this file:
C:\Documents and .\Application Data\WireShark\cfilters
** Remember to leave the last line in this file blank.
Edit -> Preferences -> Columns
This screen allows you to add or move columns around.
For consistency, I always recommend you name your columns the same as the descriptions noted in the pull-down menu.
WireShark Screen Layout
Filename Of Current Trace File
Sorting Columns
Output is sorted by Frame No by default.
Click the Info header to sort by that column.
Neat Feature Drag and Drop
You can now drag and drop a file from Windows Explorer directly into WireShark.
Conversation List
You can now see a list of all the TCP, IP or MAC addresses.
You can leave this screen up while capturing to see this in real time.
Resize Column
Statistics: Neat Feature Conversation List
You can now see a list of all the TCP, IP or MAC addresses.
Statistics: Flow Graph
Statistics: Conversation
Statistics: Conversation continued
Analyze: Expert Info
Expert information shows a summary of errors and warnings.
Analyze: Display Filters
Display filters can be applied from the previous list, or you can create new filters.
Analyze: Follow TCP Stream
Follow TCP Stream can be between IP addresses or an entire conversation.
Traffic from A to B is marked in red and from B to A is marked in blue.
Analyze: Expert Info Composite
Expert Info Composite not only displays errors, warnings, notes and chats;
clicking the packet number also jumps to that packet within the trace.
Case Study: Please Open The Window
In this case study a nightly server backup is not being completed in the allowed time. A production server for a major oil company contains seismic data for oil research. This is important information that needs to be backed up; it is an important asset of the company. It is also a very large amount of data.
Configuration: The production server connects to a Gigabit Ethernet connection. It connects to a Cisco 6509 router, and on the same blade another Gigabit Ethernet connection goes to the backup server.
Each part of the team, server, application and network personnel, has worked hard to determine what could be the problem. The application logs have been reviewed, the server team has reviewed the logs for each server, and the network team has looked at each interface for errors and searched through the router logs, but nobody has found anything that identifies the problem.
At the request of Analysis Solution a trace was taken. The following shows the results.
Case Study: Please Open the Window
Analysis: The receiving server was choking on the data, unable to get the
information written to the disk drive.
Solution: Higher speed disk drives were installed. This increased the performance of the Back Up server, allowing it to keep up with the network and the Production server.
See the following trace file and also the graphs that show the Window Size being
advertised by the Back Up server.
Case Study: Please Open the Window
Figure 1:1 Trace File Results (good throughput with large packet size): we see good throughput, with the window size at item B.
Figure 1:2 Trace File Results (window size has changed to Zero):
In packet 377, item C, the source IP address, item D, is sending a window size of Zero, see item E.
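The zero-window signal the case study turns on is carried in every TCP header, so it can be pulled out of a capture without the GUI. The following is an added example, not code from the original deck or from Wireshark: it parses a pcap file, extracts the advertised receive window per sender (the series behind the two graphs) and reports each zero-window stall with how long it lasted before the sender reopened its window. Wireshark flags the same packets with the display filter tcp.analysis.zero_window. The trace bytes are constructed inside the script by write_pcap() so it runs offline; the addresses 10.0.0.1/10.0.0.2 and the timings are made up for the demonstration and are not from the case study.

```python
"""Extract advertised TCP receive windows from a pcap and flag zero-window stalls.

Added example, not from the original deck or Wireshark.  The sample capture is
constructed below; addresses, ports and timings are invented for the demo.
"""
import struct
from io import BytesIO

PCAP_MAGIC = 0xA1B2C3D4        # little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1


def _ip2b(dotted):
    return bytes(int(x) for x in dotted.split("."))


def build_tcp_frame(src, dst, window, flags=0x10):
    """Constructed header-only Ethernet/IPv4/TCP frame (ACK); checksums left 0."""
    (src_ip, src_port), (dst_ip, dst_port) = src, dst
    eth = bytes.fromhex("665544332211") + bytes.fromhex("001122334455") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     _ip2b(src_ip), _ip2b(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags,
                      window, 0, 0)
    return eth + ip + tcp


def write_pcap(records):
    """records: iterable of (timestamp_seconds, frame_bytes) -> pcap file bytes."""
    out = BytesIO()
    out.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.write(struct.pack("<IIII", sec, usec, len(frame), len(frame)))
        out.write(frame)
    return out.getvalue()


def read_pcap(data):
    """Yield (timestamp, frame) for each record of a little-endian pcap."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap")
    if struct.unpack_from("<I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield round(sec + usec / 1e6, 6), data[off:off + incl_len]
        off += incl_len


def tcp_windows(data):
    """Yield (ts, 'src:port', 'dst:port', window) for every TCP segment.
    The window is the raw 16-bit field: if the SYN negotiated a window scale,
    the effective window is this value << shift (zero stays zero either way)."""
    for ts, frame in read_pcap(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                           # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        sport, dport, _seq, _ack, _off, _flags, window = struct.unpack_from(
            "!HHIIBBH", frame, 14 + ihl)
        yield ts, f"{src}:{sport}", f"{dst}:{dport}", window


def window_series(data, sender):
    """(ts, window) points for one sender: the series behind the deck's graphs."""
    return [(ts, w) for ts, src, _dst, w in tcp_windows(data) if src == sender]


def zero_window_stalls(data):
    """[(sender, stall_start_ts, seconds)] per run of zero-window advertisements.
    A stall ends when the same sender advertises a non-zero window again; one
    still open when the capture ends is reported with duration None."""
    open_stall, stalls = {}, []
    for ts, src, _dst, window in tcp_windows(data):
        if window == 0:
            open_stall.setdefault(src, ts)     # remember when the window closed
        elif src in open_stall:
            start = open_stall.pop(src)
            stalls.append((src, start, round(ts - start, 6)))
    stalls.extend((src, start, None) for src, start in open_stall.items())
    return stalls


BACKUP, PROD = ("10.0.0.2", 5000), ("10.0.0.1", 40000)   # invented addresses
# Constructed trace: the backup server's window collapses to zero while its
# disk catches up, reopens 2.5 s later, then collapses again as the trace ends.
SAMPLE_TRACE = write_pcap([
    (1.0, build_tcp_frame(BACKUP, PROD, 8760)),
    (1.1, build_tcp_frame(PROD, BACKUP, 65535)),
    (1.2, build_tcp_frame(BACKUP, PROD, 0)),
    (1.5, build_tcp_frame(BACKUP, PROD, 0)),      # reply to a zero-window probe
    (3.7, build_tcp_frame(BACKUP, PROD, 8760)),   # window update, stall over
    (3.8, build_tcp_frame(PROD, BACKUP, 65535)),
    (4.0, build_tcp_frame(BACKUP, PROD, 0)),
])

if __name__ == "__main__":
    for sender, start, secs in zero_window_stalls(SAMPLE_TRACE):
        print(f"{sender} advertised window 0 at t={start}s, stalled {secs}s")
```

Point it at a real capture by replacing SAMPLE_TRACE with the bytes of a .pcap file (pcapng is not handled here). A receiver that repeatedly closes its window while the sender still has data queued, as the Back Up server does in the case study, is the host to look at, not the network in between.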
Case Study: Please Open the Window, Window Size
[Graph: Window Size advertised by the Back Up server, 0 to 10000, over time from 4:01:17 PM to 4:05:01 PM]
Case Study: Please Open the Window, Disk Drive Upgraded
[Graph: Window Size advertised by the Back Up server after the disk drive upgrade, 0 to 10,000, over time from 2:51:50 to 2:51:59]
Question and Answer: Simulation Traffic Tools
Question: What tools are available for generating traffic to simulate traffic or data throughput?
Answer: One tool that is free is IPERF. It loads on each end, source and destination. This could be PC to PC, or Server to PC, and then you run the throughput benchmarks. I use it in classes that I teach where we run several benchmark tests. Here is where to find the tool and notes on how to use it.
Question and Answer: Performance Tools cont.
IPERF (free): Very handy FREE throughput tester. Using it is quick and easy:
Simply download IPERF from http://dast.nlanr.net/Projects/Iperf/
Unzip into a folder on two PCs.
Go to one PC and type iperf -s at the command prompt. This is the server.
Go to the other PC and type iperf -c server_ipaddress
Other examples:
to run the iperf utility as a server service, type iperf -s -D
to conduct an upload, type iperf -c server_ipaddress
to conduct a separate upload and download, type iperf -c server_ipaddress -r
to conduct a simultaneous upload and download, type iperf -c server_ipaddress -d
Chariot from IXIA
http://www.ixiacom.com/products/display.php?skey=ixchariot
SmartBits
http://www.spirentcom.com/analysis/technology.cfm?media=7&WS=325&SS=110&wt=2
Question and Answer: Case Studies
Question: Can you recommend where to get case studies?
Answer: There are several books that contain case studies. I have listed them below for your reference. Also visit my web site www.analysissolution.com. I'm in the process of adding PCasts. They are 10 minutes in length and cover various topics, all focused on Protocol Analysis.
Network Analysis and Troubleshooting, J. Scott Haugdahl, ISBN 0-201-43319-2
Optimizing Network Traffic, Microsoft Press, ISBN 073560648X
Question and Answer:
Question: What type of triggers are available for WireShark-Ethereal?
Answer: WireShark-Ethereal states that the only triggers are to Stop under the following conditions and to Restart.
Stop Capture:
Stop the capture on different triggers like: amount of captured data, capture time, captured
number of packets.
Restart a Running Capture:
A running capture session can be restarted with the same capture options as the last time; this
will remove all packets previously captured. This can be useful if some uninteresting packets are
captured and there's no need to keep them.
Restart is a convenience function and equivalent to a capture stop followed by an immediate
capture start. A restart can be triggered in one of the following ways:
Using the menu item "Capture/Restart".
Using the toolbar item "Restart".
Further Notes:
You can reduce the amount of traffic captured by using capture filters.
You can also capture into multiple files while doing a long term capture, and in addition there is the
option to form a ring buffer of these files, keeping only the last x files, useful for a "very long term"
capture.